[Snort-sigs] phpBB remote code execution detection rule (final)

M. Shirk shirkdog_list at ...12...
Wed Dec 1 10:29:04 EST 2004


>From: hchemin at ...2848...
>To: "M. Shirk" <shirkdog_list at ...12...>
>Subject: RE: [Snort-sigs] phpBB remote code execution detection rule 
>(final)
>Date: Wed,  1 Dec 2004 11:10:50 -0700
>
>viewtopic.php?t=#&highlight=%2527%252emysql_query
>I was able to replicate and exploit a test site running 2.08 version of 
>phpbb

Ok, we just need to change the uricontent to look for the PHP function 
mysql_query:

Try this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
phpBB Highlighting SQL Injection <2.0.11";
flow:to_server,established; uricontent:"/viewtopic.php?t="; nocase;
uricontent:"&highlight='.mysql_query("; nocase;
reference:url,www.securiteam.com/unixfocus/6Z00R2ABPY.html; sid:2001999; 
rev:1;)

Shirkdog
http://www.shirkdog.us

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/


More information about the Snort-sigs mailing list